Troubleshooting FAQs

Tip

You can visit our Support Center to find helpful articles and submit a support ticket.

If you're having trouble importing your profile, try some of the tips below. Or refer to specific help for importing your profile on Android or iOS.

  • When you import a .ovpn file, ensure that all files referenced by the .ovpn file, such as ca, crt, and key, are in the same directory on the device as the .ovpn file.

  • Profiles must be UTF-8 (or ASCII) and under 256 KB in size.

  • Consider using the unified format for OpenVPN profiles, which allows embedding all certs and keys into the .ovpn file. This simplifies management of the OpenVPN configuration by integrating all configuration elements into a single file. For example, a traditional OpenVPN profile might specify certs and keys as follows:

    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1

    You can convert the usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows, using an XML-like syntax:

    <ca>
    -----BEGIN CERTIFICATE-----
    MIIBszCCARygAwIBAgIE...
    . . .
    /NygscQs1bxBSZ0X3KRk...
    Lq9iNBNgWg==
    -----END CERTIFICATE-----
    </ca>
    
    <cert>
    -----BEGIN CERTIFICATE-----
    . . .
    </cert>
    
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    . . .
    </key>
    
    key-direction 1
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    . . .
    </tls-auth>

    Another approach to eliminate certificates and keys from the OpenVPN profile is to use the OS keychain.

    Note

    When converting tls-auth to unified format, check whether there is a second parameter after the filename (usually 0 or 1). This is the key-direction parameter, and it must be specified as a standalone directive when tls-auth is converted to unified format.

    As an example, if the parameter is 1, add this line to the profile:

    key-direction 1

    If there isn't a second parameter to tls-auth, add this line to the profile:

    key-direction bidirectional
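As an added example (not code from OpenVPN or this FAQ), the following Python script performs the conversion described above mechanically: it replaces each ca, cert, key and tls-auth file reference with the matching inline block, turns the optional second tls-auth parameter into a standalone key-direction directive (bidirectional when the parameter is absent, and never duplicated if the profile already has one), and checks the UTF-8 and 256 KB limits before you import. It also handles tls-crypt, which goes beyond the four directives shown on this page. The sample profile and the file contents in SAMPLE_FILES are constructed placeholders, not real certificates or keys.

```python
"""Convert a traditional OpenVPN profile to the unified (inline) format and
check the import limits OpenVPN Connect enforces (UTF-8, under 256 KB).
Added example with constructed sample data; not code from OpenVPN."""
import os
from typing import Callable, Dict, List

MAX_PROFILE_BYTES = 256 * 1024  # OpenVPN Connect limit stated in the FAQ

# Directives whose first argument is a file and which have an inline
# <name>...</name> form. tls-crypt (OpenVPN 2.4+) is included beyond the
# four directives shown on the page.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def _tokens(line: str) -> List[str]:
    """Split a profile line into tokens; blank and comment lines give []."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return []
    return stripped.split()


def convert_to_unified(profile_text: str, read_file: Callable[[str], str]) -> str:
    """Return the profile with file-referencing directives replaced by inline blocks.

    read_file(name) returns the content of a referenced file; taking a callable
    keeps the conversion testable without touching the filesystem.
    """
    lines = profile_text.splitlines()
    # An inline <tls-auth> block cannot carry the direction parameter, so it
    # becomes a standalone key-direction directive, added at most once.
    has_key_direction = any(_tokens(ln)[:1] == ["key-direction"] for ln in lines)
    out: List[str] = []
    in_block = False
    for line in lines:
        toks = _tokens(line)
        head = toks[0] if toks else ""
        if in_block or (head.startswith("<") and not head.startswith("</")):
            # Existing inline blocks (and their PEM/key body) pass through untouched.
            out.append(line)
            in_block = not head.startswith("</")
            continue
        if len(toks) >= 2 and head in INLINE_DIRECTIVES:
            if head == "tls-auth" and not has_key_direction:
                direction = toks[2] if len(toks) >= 3 else "bidirectional"
                out.append(f"key-direction {direction}")
                has_key_direction = True
            out.append(f"<{head}>")
            out.append(read_file(toks[1]).strip())
            out.append(f"</{head}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_limits(raw: bytes) -> List[str]:
    """Return the limit violations that would make OpenVPN Connect reject the profile."""
    problems: List[str] = []
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("profile is not valid UTF-8")
    if len(raw) >= MAX_PROFILE_BYTES:
        problems.append(f"profile is {len(raw)} bytes; must be under {MAX_PROFILE_BYTES}")
    return problems


def convert_file(path: str) -> str:
    """Convert the profile at `path`, resolving referenced files from its directory."""
    base = os.path.dirname(os.path.abspath(path))
    with open(path, encoding="utf-8") as fh:
        text = fh.read()

    def read_file(name: str) -> str:
        with open(os.path.join(base, name), encoding="utf-8") as ref:
            return ref.read()

    unified = convert_to_unified(text, read_file)
    problems = check_limits(unified.encode("utf-8"))
    if problems:
        raise ValueError("; ".join(problems))
    return unified


# Constructed sample profile and placeholder file contents (not real keys).
SAMPLE_PROFILE = """client
dev tun
remote vpn.example.tld 1194 udp
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""
SAMPLE_FILES: Dict[str, str] = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    unified = convert_to_unified(SAMPLE_PROFILE, SAMPLE_FILES.__getitem__)
    print(unified)
    print("problems:", check_limits(unified.encode("utf-8")) or "none")
```

For a real profile, call convert_file("client.ovpn") from the directory that holds the referenced files and write the returned text to a new .ovpn; the function raises if the result would exceed the size limit, which is the usual surprise when a large CA bundle is inlined.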

You can provide OpenVPN Connect with a server connection list. On connection failure, OpenVPN Connect rotates through the list until it finds a responsive server.

For example, based on the following entries in the connection profile, OpenVPN Connect tries to connect to server A via UDP port 1194, then TCP port 443, then repeats the process with server B. OpenVPN Connect continues to retry until it successfully connects or hits the connection timeout, which you can configure in the settings.

remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
remote server-b.example.tld 443 tcp

Yes, you can import any number of profiles from the Import menu:

  1. Launch OpenVPN Connect.

  2. Tap the Add icon.

  3. Enter the URL and username credentials or import from file.

  4. To connect to the profile, tap the profile’s radio button.

  5. Enter your password.

    • OpenVPN Connect assigns a name to the profile based on the server hostname, username, and filename. If you import a profile with the same name as an existing one, OpenVPN Connect adds (1), (2), etc. to the profile name.

If you have a profile that connects to a server without a client certificate/key, you must include the following directive in your profile:

setenv CLIENT_CERT 0

This directive is necessary to resolve the ambiguity of the profile not having a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the mobile OS Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.

Yes, all traffic routes through the VPN tunnel with a profile that uses redirect-gateway, but with some important exceptions:

  • Apple services such as Push Notifications and FaceTime never route through a VPN tunnel, per Apple policy.

  • During pause, resume, and reconnect states (such as when transitioning between Wi-Fi and cellular data), the VPN tunnel may temporarily disengage, allowing network traffic to bypass the tunnel and route directly to the internet. If you are running iOS 8 or higher, you can enable the Seamless Tunnel setting in the OpenVPN section of the Settings app. It makes a best effort to keep the tunnel active during pause, resume, and reconnect states to prevent packet leakage to the internet.

Yes, you can push an IPv6 DNS by using the same format used for IPv4 ones:

push "dhcp-option DNS 2001:abde::1"

If you want your local domain appended automatically when resolving short names, you can do this with either redirect-gateway or a VPN-specific DNS, and then push the following directive (with your domain in place of the example domain):

push "dhcp-option ADAPTER_DOMAIN_PREFIX foo.tld"

When the iOS DNS subsystem first tries to resolve a partly qualified domain name (PQDN) and fails, it appends the system domain prefix (normally assigned by your uplink gateway, for example ".lan") and retries. The directive above has the server push a different domain to append in place of that prefix.

See the tips for handling the following error messages.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error relates to cipher suites. To fix this, you can adjust the security level:

  1. Launch OpenVPN Connect.

  2. Tap the menu icon.

  3. Tap Settings.

  4. Tap to expand Advanced Settings.

  5. Set the Security Level to Legacy.

    • Legacy allows some older but still secure algorithms, including AES-CBC.

Certificate verification failed: x509 — certificate verification failed, e.g. crl, ca or signature check failed

This error occurs when a certificate can’t be adequately verified.

One example where certificate verification failure can occur is if you use an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the certificate's authenticity can’t be assured by any reasonable means. In other words, it could very well be a fake certificate. The solution is to use a certificate that is not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

Digest_error: NONE: not usable

This error occurs if you specify both auth none and tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified.

To resolve the error, remove the tls-auth directive. You can't enable it with auth none enabled.
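Added example (not code from OpenVPN or this FAQ): a small lint that flags the directive combinations this page says break imports or connections. It reports a profile with no client cert/key and no setenv CLIENT_CERT 0 (the ambiguity described earlier), auth none together with tls-auth (the Digest_error above), and an inline <tls-auth> block without the standalone key-direction directive the earlier Note requires. The profile at the bottom is a constructed sample that triggers the first two findings.

```python
"""Lint an OpenVPN Connect profile for directive combinations this FAQ says
cause import or connection failures. Added example, not OpenVPN code."""
from typing import Dict, List, Set


def _tokens(line: str) -> List[str]:
    """Split a profile line into tokens; blank and comment lines give []."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return []
    return stripped.split()


def lint_profile(profile_text: str) -> List[str]:
    """Return findings; an empty list means none of the known problems was seen."""
    directives: Dict[str, List[str]] = {}  # directive -> args of its last occurrence
    inline_blocks: Set[str] = set()         # names of <...> blocks present
    client_cert_disabled = False
    in_block = False
    for line in profile_text.splitlines():
        toks = _tokens(line)
        if not toks:
            continue
        head = toks[0]
        if in_block:                        # skip PEM / static-key body lines
            in_block = not head.startswith("</")
            continue
        if head.startswith("<"):
            inline_blocks.add(head.strip("<>"))
            in_block = True
            continue
        directives[head] = toks[1:]
        if head == "setenv" and toks[1:] == ["CLIENT_CERT", "0"]:
            client_cert_disabled = True

    findings: List[str] = []
    has_client_cert = any(d in directives or d in inline_blocks for d in ("cert", "key"))
    if not has_client_cert and not client_cert_disabled:
        findings.append(
            "no client cert/key and no 'setenv CLIENT_CERT 0': OpenVPN Connect cannot "
            "tell whether to use the OS keychain or whether the server needs no client cert")
    has_tls_auth = "tls-auth" in directives or "tls-auth" in inline_blocks
    auth = (directives.get("auth") or [""])[0].lower()
    if has_tls_auth and auth == "none":
        findings.append(
            "'auth none' with tls-auth gives 'Digest_error: NONE: not usable': "
            "remove tls-auth or use an auth digest")
    if "tls-auth" in inline_blocks and "key-direction" not in directives:
        findings.append(
            "inline <tls-auth> without a standalone key-direction directive: add "
            "'key-direction 0', 'key-direction 1' or 'key-direction bidirectional'")
    return findings


# Constructed sample: no client cert, no setenv line, and auth none with tls-auth.
SAMPLE_PROFILE = """client
remote vpn.example.tld 1194 udp
auth none
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
PLACEHOLDER
</tls-auth>
"""

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("-", finding)
```

Run it over a profile before importing; the lint only knows the three combinations described on this page, so an empty result means those specific problems are absent, not that the profile is valid.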

Error parsing certificate: X509 — The date tag or value is invalid

This error occurs with a faulty certificate. Refer to this detailed forum post for more info.

SSL — Processing of the ServerKeyExchange handshake message failed

This error likely occurs when using older versions of OpenVPN/OpenSSL on the server side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server side.

mbedTLS: error parsing cert certificate : X509 - The date tag or value is invalid

This error occurs with incorrectly formatted certificates. OpenVPN Connect 1.1.1 and newer has a more relaxed format check to accept certificates previously rejected with this error. For more, refer to this detailed forum post.

TLS Error: incoming packet authentication failed from [....]

An error message like this on the server results from a change in a default. With OpenVPN 1.0.1 and newer, we changed the default value of the key-direction directive to "bidirectional" for compatibility with the OpenVPN 2.x branch (previously, the default value was "1"). Profiles imported before upgrading should generally still work, because the previous default is retained for such profiles. For help, refer to Help Transferring the .ovpn File to iOS or Help Transferring a Profile to Android.

For VPN-on-Demand profiles, refer to Can I Use iOS 6+ VPN-on-Demand With OpenVPN?.

Set the following settings for OpenVPN Connect:

  • Launch Options: restore connection.

    Tip

    This is an option on Windows or macOS.

  • Connection Timeout: continuously retry.

Additionally, if you want to prevent apps from accessing the internet except through the VPN, enable Seamless Tunnel.

OpenVPN Connect 1.0.6 and newer installs the openvpn:// and openvpn-connect:// URL schemes, which you can detect with the following code (using the openvpn:// example). On iOS 9 and later, canOpenURL: only reports schemes that your app declares under LSApplicationQueriesSchemes in its Info.plist, so list openvpn and openvpn-connect there first:

BOOL installed = [application canOpenURL:[NSURL URLWithString:@"openvpn://"]];